Configuring reputation data

You can build a repository of reputation data from various sources, such as Palo Alto WildFire, ReversingLabs, and VirusTotal. These sources determine threat levels for files, processes, IP addresses, domain names, and so on. Other Tanium products, such as Trace, can use this data to give an indication of potentially malicious files. You can also send reputation data to supported Connect destinations.

If you previously configured a WildFire or VirusTotal source for a connection, the settings are imported into the reputation source settings.

Overview

The reputation service runs on the Tanium Module Server and is started when you install Connect. Reputation is a service that queries reputation providers for threat intelligence about given file hashes.

The reputation database is a cache that consists of reputation items. When configured, reputation items are scanned by a reputation source. A reputation source is a service that determines whether a reputation item is considered to be malicious, non-malicious, suspicious, or has an unknown status.

Configure reputation service settings

Reputation service settings determine the contents of the reputation database. These settings determine how often reputation items are scanned in the reputation source, how long to consider items as new, and how long to keep items in the database if their reputation status has not been referenced. For more information about these settings and how they affect the reputation items, see Reputation item life cycle.

To update these settings, go to the Connect home page. Click Settings. Click the Reputation Service Settings tab.

The Keep Reports setting determines whether you want the full reports from the reputation source to be kept in the reputation database. You can choose to keep all reports, or only malicious and suspicious reports. Selecting only malicious and suspicious reports saves space in the database. If you are using VirusTotal as a connection source, use the keep all reports option to get the enhanced reporting information.

Reputation item life cycle

A reputation item remains in the database as long as the Tanium processes are accessing the status of the item. The status of the reputation items is kept up to date based on the settings for the reputation service and provider.

Reputation items are added to the reputation database

As long as the maximum database size is not exceeded, reputation items get added to the reputation database in the following scenarios:

When a new hash gets identified by a Tanium process, such as Trace.

When a list of hashes gets sent to Connect from a saved question connection source.

When the reputation items are first added, it is unknown whether they are malicious. The reputation item state most likely starts out as unknown or pending.

Reputation items are scanned

How long it takes for an initial scan of the items depends on your configured reputation service settings.

If you have multiple reputation service providers configured, a reputation item is created for each reputation source. For example, for a single hash, three separate reputation items are created for WildFire, ReversingLabs, and VirusTotal.

VirusTotal

The settings for VirusTotal determine how many hashes are sent at a time, and how many times the API is called in one minute. For more information about these settings, see Configure VirusTotal reputation source.

Reputation items are rescanned

Reputations might change for reputation items over time. When an item is rescanned, it is checked against the reputation sources again. For more information about configuring the rescanning properties, see Configure reputation service settings.

The Rescan Item Interval setting is global for all reputation provider types. The value determines how often items get rescanned. For example, if this value is set to 1 day, all of the items in the database get checked every day.

Wildfire

Items are rescanned only at the Rescan Item Interval; there is no separate rescan schedule for new items.

ReversingLabs A1000

You can configure items to be rescanned as ReversingLabs A1000 gets new reputations for hashes.

The Maximum Age of New Items setting gets compared with the First Seen attribute in ReversingLabs A1000. The First Seen attribute is the date at which ReversingLabs A1000 first recorded any instance of that hash. If the age of the item (measured from First Seen) is less than the configured maximum, the item is rescanned. How often the new items are rescanned is determined by the Rescan New Item Interval setting.

ReversingLabs TitaniumCloud

You can configure items to be rescanned as ReversingLabs TitaniumCloud gets new reputations for hashes.

The Maximum Age of New Items setting gets compared with the First Seen attribute in ReversingLabs TitaniumCloud. The First Seen attribute is the date at which ReversingLabs TitaniumCloud first recorded any instance of that hash, from any ReversingLabs TitaniumCloud customer. If the age of the item (measured from First Seen) is less than the configured maximum, the item is rescanned. How often the new items are rescanned is determined by the Rescan New Item Interval setting.

VirusTotal

If you have a paid API key for VirusTotal, you can configure items to be rescanned as VirusTotal gets new reputations for hashes.

The Maximum Age of New Items setting gets compared with the First Seen attribute in VirusTotal. The First Seen attribute is the date at which VirusTotal first recorded any instance of that hash, from any VirusTotal customer. If the age of the item (measured from First Seen) is less than the configured maximum, the item is rescanned. How often the new items are rescanned is determined by the Rescan New Item Interval setting.

When you are configuring these settings, be careful to keep the number of API calls within the bounds of your agreement with VirusTotal.

Items are removed from the reputation database

When the number of days in the Remove Item Interval value passes, and that item has not been queried by a saved question or other Tanium process to check its status, the item is removed from the database.

A reputation item can be re-added to the database if the hash gets found again.
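The life cycle above, modeled as an added example (not Tanium code): a small decision routine that applies the Rescan Item Interval, Maximum Age of New Items, Rescan New Item Interval, and Remove Item Interval settings to per-source reputation items. Assumptions, labelled in the code: the setting names are modeled as dataclass fields, only sources that expose a First Seen attribute rescan new items, and the sample items and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ServiceSettings:  # hypothetical model of the Reputation Service Settings; all in days
    rescan_item_interval: int      # global for every provider type
    max_age_of_new_items: int      # compared with the provider's First Seen attribute
    rescan_new_item_interval: int  # applies only while an item still counts as new
    remove_item_interval: int      # drop items not referenced for this many days

@dataclass
class ReputationItem:  # one item per hash per configured reputation source
    source: str
    last_referenced: datetime                # last query by a saved question or Tanium process
    first_seen: Optional[datetime] = None    # provider's First Seen attribute
    last_scanned: Optional[datetime] = None  # None until the initial scan

# Assumption: only sources that expose First Seen rescan new items; WildFire does not.
NEW_ITEM_SOURCES = {"reversinglabs_a1000", "reversinglabs_titaniumcloud", "virustotal"}

def is_new(item, s, now):
    if item.source not in NEW_ITEM_SOURCES or item.first_seen is None:
        return False
    return now - item.first_seen < timedelta(days=s.max_age_of_new_items)

def rescan_due(item, s, now):
    """Initial scan if never scanned; otherwise when the applicable interval has elapsed."""
    if item.last_scanned is None:
        return True
    days = s.rescan_new_item_interval if is_new(item, s, now) else s.rescan_item_interval
    return now - item.last_scanned >= timedelta(days=days)

def remove_due(item, s, now):
    return now - item.last_referenced >= timedelta(days=s.remove_item_interval)

def plan(items, s, now):
    """Action the service would take for each item (keyed by source) at time `now`."""
    return {it.source: "remove" if remove_due(it, s, now)
            else "scan" if rescan_due(it, s, now) else "keep" for it in items}

# Constructed sample: the same hash on four sources, with differing scan/reference history.
SETTINGS = ServiceSettings(rescan_item_interval=7, max_age_of_new_items=30,
                           rescan_new_item_interval=1, remove_item_interval=30)
NOW = datetime(2024, 6, 1)
SAMPLE = [
    ReputationItem("virustotal", NOW, datetime(2024, 5, 20), datetime(2024, 5, 30)),
    ReputationItem("wildfire", NOW, datetime(2024, 5, 20), datetime(2024, 5, 30)),
    ReputationItem("reversinglabs_a1000", NOW),
    ReputationItem("reversinglabs_titaniumcloud", datetime(2024, 4, 1),
                   datetime(2024, 1, 1), datetime(2024, 5, 30)),
]
```

Running `plan(SAMPLE, SETTINGS, NOW)` shows the VirusTotal item rescanned on the one-day new-item schedule while the WildFire item for the same hash waits for the seven-day global interval.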

Configure Palo Alto Networks WildFire reputation source

You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If the file is malware, the status is reported back to the firewall.

After the WildFire analysis is completed, the reputation service can query the results and update the reputation data.

Prerequisites

A subscription to Cloud WildFire (wildfire.paloaltonetworks.com) or a configured WF-500 WildFire appliance.

Configure Palo Alto Networks WildFire reputation source

Specify settings, including the host of your WildFire instance and the API key.

Enable Palo Alto Networks WildFire reputation source

To enable or disable a reputation source, click the dot next to the name of the reputation source. When the dot is green, the reputation source is enabled. When the dot is red, the reputation source is disabled.

Configure ReversingLabs A1000 reputation source

ReversingLabs is an application that companies can install locally to analyze files and provide reputation results through API requests or a web interface.

Prerequisites

You must already have a ReversingLabs API token. If you have not already registered for ReversingLabs access, contact their sales team at reversinglabs.com.

Configure settings

Add your ReversingLabs A1000 credentials: the URL for your API access and your API Token. Adjust the settings for New/Pending hashes per query and New/Pending queries per minute according to your API agreement with ReversingLabs A1000 and your network requirements.

Enable ReversingLabs A1000 reputation source

To enable or disable a reputation source, click the dot next to the name of the reputation source. When the dot is green, the reputation source is enabled. When the dot is red, the reputation source is disabled.

Configure ReversingLabs TitaniumCloud reputation source

ReversingLabs TitaniumCloud is an online service that analyzes files, hashes, and URLs to identify viruses, worms, trojans, and other kinds of malicious content that is detected by antivirus engines and website scanners. The reputation service sends reputation items to the ReversingLabs API and returns the results to the reputation database.

Prerequisites

You must already have a ReversingLabs TitaniumCloud account. If you have not already registered for ReversingLabs TitaniumCloud access, contact their sales team at reversinglabs.com.

Configure settings

Add your ReversingLabs TitaniumCloud credentials: the URL for your API access, your Username, and your Password. Adjust the settings for New/Pending hashes per query and New/Pending queries per minute according to your API agreement with ReversingLabs and your network requirements.

Enable ReversingLabs TitaniumCloud reputation source

To enable or disable a reputation source, click the dot next to the name of the reputation source. When the dot is green, the reputation source is enabled. When the dot is red, the reputation source is disabled.

Configure VirusTotal reputation source

VirusTotal is an online service that analyzes files, hashes, and URLs to identify viruses, worms, trojans, and other kinds of malicious content that is detected by antivirus engines and website scanners. The reputation service sends reputation items to the VirusTotal API and returns the results to the reputation database.

Prerequisites

Register for a VirusTotal API key at virustotal.com. VirusTotal makes their catalog available for query with an API key. Refer to the VirusTotal API use policy to determine which type of API key is appropriate.

To get the API key on the VirusTotal website, sign in and click your_user_image > Settings > API Key.

Configure settings

Adjust the settings for Batch Size and Maximum Calls per Minute according to your agreement with VirusTotal.

The Positive Threshold is the number of positive reports a hash must have before it is considered a potential threat or malware.

The lower the value, the more likely it is that VirusTotal reports include false positive indicators.

Example: If you set the value to 3, then three VirusTotal engines must report an item as malicious for the item to be sent to Connect. Setting the value to 0 disables the threshold. If any VirusTotal engine reports that item as malicious, the item is sent to Connect.
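The Positive Threshold rule, as an added example (not Tanium or VirusTotal code) that counts engine detections in constructed, VirusTotal-style reports and shows which items would be sent to Connect at a given threshold, including the threshold 0 case. Engine names and verdicts are made up for the example.

```python
# Constructed reports for this example: engine name -> whether that engine flagged the hash.
REPORTS = {
    "widely_flagged_sample": {"engineA": True, "engineB": True, "engineC": True, "engineD": False},
    "single_engine_hit":     {"engineA": False, "engineB": True, "engineC": False, "engineD": False},
    "clean_file":            {"engineA": False, "engineB": False, "engineC": False, "engineD": False},
}

def positives(report):
    """Number of engines reporting the hash as malicious (the report's positive count)."""
    return sum(1 for detected in report.values() if detected)

def meets_positive_threshold(report, threshold):
    """True if the item qualifies to be sent to Connect.
    A threshold of 0 disables the threshold, so any single engine detection qualifies."""
    n = positives(report)
    return n >= 1 if threshold <= 0 else n >= threshold

def items_sent_to_connect(reports, threshold):
    """Names of the reports that meet the threshold, sorted for stable comparison."""
    return sorted(name for name, r in reports.items() if meets_positive_threshold(r, threshold))
```

With the threshold at 0 the single-engine hit is forwarded alongside the widely flagged sample; raising it to 3 drops the single-engine hit, which is the false-positive trade-off described above.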

Enable VirusTotal reputation source

To enable or disable a reputation source, click the dot next to the name of the reputation source. When the dot is green, the reputation source is enabled. When the dot is red, the reputation source is disabled.

View reputation scan status

The Reputation Data page displays the total number of reputation items, and the following information about each reputation source:

Items: Total number of reputation items on this reputation source.

New: Reputation items that still need to be scanned on this reputation source.

Processed: Reputation items that have been scanned on this reputation source.

Malicious: Percentage of items out of total reputation items that are malicious.

Send reputation data to Connect destinations

You can create a connection to send the data that is in the reputation database to any Connect destination. For example, you might configure a connection to create an email notification when a malicious item is found.

Create a new connection.

When you select a source for the connection, select Reputation Service. You can also select the reputation status to include.

Configure the destination settings for the connection.

Send data to the reputation service

If you want to pre-populate reputation data with hashes from your environment, you can send data to the reputation service as a connection destination. When this content is pre-populated, the reputation service can start querying about the status of the items from the reputation sources.

Create a new connection.

For the source, choose a saved question that returns a hash, such as Get Running Processes with MD5 Hash from all machines.

For the destination, choose reputation service and select the appropriate hash type for the Hash Field.

Each reputation service connection destination is configured for a specific hash column name. You must use a separate destination for each hash type that you are populating. For example, if you are populating both MD5 and SHA1 hashes from different saved questions, create two connection destinations with different values for Hash Field.

View reputation data

To view a list of the malicious hashes that Connect has pulled from the reputation services, click the Malicious Reputations tab. Only hashes with a malicious or pending status are listed.

View Whitelist/Blacklist data

You can add reputation data hashes to the Whitelist/Blacklist from the Whitelist/Blacklist tab in the Reputation Data page. To add hashes that are known to be malicious to the Blacklist, click Add Hashes, enter the hashes, choose blacklist, and click Save to Blacklist. To add hashes that are known to be false detections to the Whitelist, click Add Hashes, enter the hashes, choose whitelist, and click Save to Whitelist.

You can also choose to replace, delete, or export all of the reputation data hashes from the Whitelist/Blacklist. To replace all of the hashes, click Replace All, enter the hashes in CSV format or use the exported Whitelist/Blacklist, and click Ok.

To view a list of hashes that have been whitelisted or blacklisted, click the Whitelist/Blacklist tab.